On 2019/2/27 13:33, Gao Xiang wrote:
> This patch resolves the following page use-after-free issue,
> z_erofs_vle_unzip:
>     ...
>     for (i = 0; i < nr_pages; ++i) {
>         ...
>         z_erofs_onlinepage_endio(page);  (1)
>     }
>
>     for (i = 0; i < clusterpages; ++i) {
>         page = compressed_pages[i];
>
>         if (page->mapping == mngda)  (2)
>             continue;
>         /* recycle all individual staging pages */
>         (void)z_erofs_gather_if_stagingpage(page_pool, page); (3)
>         WRITE_ONCE(compressed_pages[i], NULL);
>     }
>     ...
>
> After (1) is executed, page is freed and could be then reused, if
> compressed_pages is scanned after that, it could fall into (2) or
> (3) by mistake and that could finally be in a mess.
>
> This patch aims to solve the above issue only with little changes
> as much as possible in order to make the fix backport easier.
>
> Fixes: 3883a79abd02 ("staging: erofs: introduce VLE decompression support")
> Cc: <stable@xxxxxxxxxxxxxxx> # 4.19+
> Signed-off-by: Gao Xiang <gaoxiang25@xxxxxxxxxx>

Reviewed-by: Chao Yu <yuchao0@xxxxxxxxxx>

Thanks,
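The ordering hazard described in the quoted commit message, as an added userspace model (not code from the patch or from erofs). It assumes a page that sits in both the output array and compressed_pages; the types, `endio_then_reused`, `scan` and `run` are hypothetical names, and scanning before release is one safe ordering, not necessarily what the patch does.

```c
#include <stddef.h>
#include <stdio.h>

/* Userspace model only: "mapping" records which owner a page belongs to. */
enum owner { FILE_PAGE, MANAGED_CACHE, STAGING };
struct page { enum owner mapping; };
struct result { int skipped, recycled; };

/* Models (1) plus the race: once released, the page is reused by someone
 * else, so its mapping no longer says what the page was to this caller. */
static void endio_then_reused(struct page *p, enum owner by) { p->mapping = by; }

/* Models (2) and (3): skip managed pages, recycle staging pages. */
static struct result scan(struct page **comp, size_t n)
{
    struct result r = { 0, 0 };
    for (size_t i = 0; i < n; ++i) {
        if (comp[i]->mapping == MANAGED_CACHE) { ++r.skipped; continue; }
        if (comp[i]->mapping == STAGING)
            ++r.recycled;
        comp[i] = NULL;
    }
    return r;
}

/* comp[0] is also an output page (assumption of this model); comp[1] is the
 * only real staging page, so the correct result is {0 skipped, 1 recycled}. */
struct result run(int scan_first, enum owner reused_by)
{
    struct page inplace = { FILE_PAGE }, staging = { STAGING };
    struct page *out[] = { &inplace };
    struct page *comp[] = { &inplace, &staging };
    struct result r = { 0, 0 };

    if (scan_first)                 /* inspect while the pages are still ours */
        r = scan(comp, 2);
    endio_then_reused(out[0], reused_by);   /* (1) */
    if (!scan_first)                /* order shown in the quoted excerpt */
        r = scan(comp, 2);
    return r;
}

int main(void)
{
    struct result bad = run(0, STAGING), good = run(1, STAGING);
    printf("scan after endio: %d recycled; scan before: %d recycled\n",
           bad.recycled, good.recycled);
    return 0;
}
```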